# Push to main → scp backend to ark-library-backend-admin-1, rebuild local admin API (:8081).
#
# Admin host is a local SSH alias only. Default: Tailscale 100.91.140.90.
# The Gitea act runner must be on the same Tailscale tailnet, OR set DEPLOY_HOST.
#
# Server must have ~/arkieproject/.env (DATABASE_URL, S3_*, JWT_SECRET, etc.) — bootstrap once manually.
# Admin UI/nginx is deployed from Arkie-Library-Admin (separate workflow).
#
# Secrets:
#   DEPLOY_SSH_KEY   — required (ark-library.pem)
#   DEPLOY_HOST      — optional (default 100.91.140.90)
#   DEPLOY_USER      — optional (default ec2-user)
#   REMOTE_REPO      — optional (default /home/ec2-user/arkieproject)

name: Deploy Admin API

on:
  push:
    branches: [main]
  workflow_dispatch:

env:
  DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
  DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
  REMOTE_REPO: ${{ secrets.REMOTE_REPO }}

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Resolve deploy target
        run: |
          repo="${REMOTE_REPO:-/home/ec2-user/arkieproject}"
          echo "DEPLOY_HOST=${DEPLOY_HOST:-100.91.140.90}" >> "$GITHUB_ENV"
          echo "DEPLOY_USER=${DEPLOY_USER:-ec2-user}" >> "$GITHUB_ENV"
          echo "REMOTE_REPO=${repo}" >> "$GITHUB_ENV"
          echo "REMOTE_BACKEND=${repo}/backend" >> "$GITHUB_ENV"

      - name: Configure SSH
        env:
          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
        run: |
          if [[ -z "${DEPLOY_SSH_KEY}" ]]; then
            echo "Missing repository secret DEPLOY_SSH_KEY" >&2
            exit 1
          fi
          install -d -m 700 ~/.ssh
          printf '%s\n' "${DEPLOY_SSH_KEY}" > ~/.ssh/deploy_key
          chmod 600 ~/.ssh/deploy_key
          {
            echo "Host deploy-target"
            echo "  HostName ${DEPLOY_HOST}"
            echo "  User ${DEPLOY_USER}"
            echo "  IdentityFile ~/.ssh/deploy_key"
            echo "  StrictHostKeyChecking accept-new"
            echo "  ConnectTimeout 30"
          } >> ~/.ssh/config
          chmod 600 ~/.ssh/config
          ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts 2>/dev/null || true

      - name: Verify SSH reachability
        run: |
          ssh -o BatchMode=yes -o ConnectTimeout=15 deploy-target "echo ok"

      - name: Package backend sources
        run: |
          tar czf /tmp/backend-deploy.tar.gz \
            --exclude='./.git' \
            --exclude='./uploads' \
            --exclude='./.env' \
            --exclude='./.env.*' \
            --exclude='./.DS_Store' \
            --exclude='./.gitea' \
            -C . .

      - name: Deploy backend sources (scp)
        run: |
          scp -o ConnectTimeout=30 /tmp/backend-deploy.tar.gz deploy-target:/tmp/backend-deploy.tar.gz
          scp -o ConnectTimeout=30 deploy/docker-compose.admin-host-api.yml \
            deploy-target:/tmp/docker-compose.admin-host-api.yml
          ssh deploy-target bash -s <<REMOTE
          set -euo pipefail
          REMOTE_BACKEND="${REMOTE_BACKEND}"
          REMOTE_REPO="${REMOTE_REPO}"
          mkdir -p "\${REMOTE_BACKEND}" "\${REMOTE_REPO}/deploy"
          find "\${REMOTE_BACKEND}" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
          tar xzf /tmp/backend-deploy.tar.gz -C "\${REMOTE_BACKEND}"
          rm -f /tmp/backend-deploy.tar.gz
          mv /tmp/docker-compose.admin-host-api.yml "\${REMOTE_REPO}/deploy/docker-compose.admin-host-api.yml"
          REMOTE

      - name: Rebuild and restart admin API container
        run: |
          ssh deploy-target bash -s <<REMOTE
          set -euo pipefail
          cd "${REMOTE_REPO}"
          if [[ ! -f .env ]]; then
            echo "Missing ${REMOTE_REPO}/.env on server — bootstrap DATABASE_URL + S3_* once." >&2
            exit 1
          fi
          export DOCKER_BUILDKIT=1
          export COMPOSE_DOCKER_CLI_BUILD=1
          DC='sudo -E docker compose -f deploy/docker-compose.admin-host-api.yml --env-file .env'
          \${DC} build api
          \${DC} up -d api
          \${DC} ps api
          curl -sS -o /dev/null -w "api categories %{http_code}\n" http://127.0.0.1:8081/api/categories
          REMOTE